event bt_tracker_request(c: connection, uri: string, headers: bt_tracker_headers){
    if (c$id in sessions) {
        add sessions[c$id]$protocol["bittorrent"];
    }
}
event dce_rpc_request(c: connection, fid: count, ctx_id: count, opnum: count, stub_len: count){
    if (c$id in sessions) {add sessions[c$id]$protocol["dec_rpc"];}
}
event dhcp_message(c: connection, is_orig: bool, msg: DHCP::Msg, options: DHCP::Options){
    if (c$id in sessions) {add sessions[c$id]$protocol["dhcp"];}
}
event dnp3_application_request_header(c: connection, is_orig: bool, application: count, fc: count){
    if (c$id in sessions) {add sessions[c$id]$protocol["dnp3"];}
}
event dns_request(c: connection, msg: dns_msg, query: string, qtype: count, qclass: count, original_query: string){
    if (c$id in sessions) {
        add sessions[c$id]$protocol["dns"];
        add sessions[c$id]$dns_op_code[msg$opcode];
        add sessions[c$id]$dns_ip[c$id$resp_h];
        add sessions[c$id]$dns_host[query];
        sessions[c$id]$dns_ip_cnt=|sessions[c$id]$dns_ip|;
        sessions[c$id]$dns_op_code_cnt=|sessions[c$id]$dns_op_code|;

        local asn_res = lookup_autonomous_system(c$id$resp_h);
        local geo_res = lookup_location(c$id$resp_h);
        if(asn_res?$number){
            add sessions[c$id]$dns_asn[asn_res$number];
        }
        if(asn_res?$organization){
            add sessions[c$id]$dns_rir[asn_res$organization];
        }

        if(geo_res?$country_code){
            add sessions[c$id]$dns_geo[geo_res$country_code];
        }
        add sessions[c$id]$dns_status[base_errors[msg$rcode]];
        sessions[c$id]$dns_status_cnt=|sessions[c$id]$dns_status|;
    }
    print fmt("dns_request  msg:%s|query:%s|qtype:%s|qclass:%s|original_query:%s",msg,query,qtype,qclass,original_query);
}
event ftp_request(c: connection, command: string, arg: string){
    if (c$id in sessions) {add sessions[c$id]$protocol["ftp"];}
}
event gnutella_establish(c: connection){
    if (c$id in sessions) {add sessions[c$id]$protocol["gnutella"];}
}
event gssapi_neg_result(c: connection, state: count){
    if (c$id in sessions) {add sessions[c$id]$protocol["gssapi"];}
}

event ident_request(c: connection, lport: port, rport: port){
    if (c$id in sessions) {add sessions[c$id]$protocol["ident"];}
}
event imap_starttls(c: connection){
    if (c$id in sessions) {add sessions[c$id]$protocol["imap"];}
}
event irc_request(c: connection, is_orig: bool, prefix: string, command: string, arguments: string){
    if (c$id in sessions) {add sessions[c$id]$protocol["irc"];}
}
event krb_as_request(c: connection, msg: KRB::KDC_Request){
    if (c$id in sessions) {add sessions[c$id]$protocol["krb"];}
}
event rsh_request(c: connection, client_user: string, server_user: string, line: string, new_session: bool){
    if (c$id in sessions) {add sessions[c$id]$protocol["rsh"];}
}
event mime_begin_entity(c: connection){
    if (c$id in sessions) {add sessions[c$id]$protocol["email_mime"];}
}
event modbus_diagnostics_request(c: connection, headers: ModbusHeaders, subfunction: count, data: string){
    if (c$id in sessions) {add sessions[c$id]$protocol["modbus"];}
}
event mqtt_connect(c: connection, msg: MQTT::ConnectMsg){
    if (c$id in sessions) {add sessions[c$id]$protocol["mqtt"];}
}
event mysql_handshake(c: connection, username: string){
    if (c$id in sessions) {add sessions[c$id]$protocol["mysql"];}
}
event ncp_request(c: connection, frame_type: count, length: count, func: count){
    if (c$id in sessions) {add sessions[c$id]$protocol["ncp"];}
}
event netbios_session_request (c: connection, msg: string){
    if (c$id in sessions) {add sessions[c$id]$protocol["netbios"];}
}
event ntlm_negotiate(c: connection, negotiate: NTLM::Negotiate){
 if (c$id in sessions) {add sessions[c$id]$protocol["ntlm"];}
}
event ntp_message (c: connection, is_orig: bool, msg: NTP::Message){
 if (c$id in sessions) {add sessions[c$id]$protocol["ntp"];}
}
event pop3_request(c: connection, is_orig: bool, command: string, arg: string){
 if (c$id in sessions) {add sessions[c$id]$protocol["pop3"];}
}
event radius_message(c: connection, result: RADIUS::Message){
if (c$id in sessions) {add sessions[c$id]$protocol["radius"];}
}
event rdp_connect_request(c: connection, cookie: string, flags: count){
if (c$id in sessions) {add sessions[c$id]$protocol["rdp"];}
}
event rfb_client_version(c: connection, major_version: string, minor_version: string){
    if (c$id in sessions) {add sessions[c$id]$protocol["rfb"];}
}
event rpc_call(c: connection, xid: count, prog: count, ver: count, proc: count, call_len: count){
    if (c$id in sessions) {add sessions[c$id]$protocol["rpc"];}
}
event sip_begin_entity(c: connection, is_orig: bool){
    if (c$id in sessions) {add sessions[c$id]$protocol["sip"];}
}
event smb1_message(c: connection, hdr: SMB1::Header, is_orig: bool){
    if (c$id in sessions) {add sessions[c$id]$protocol["smb1"];}
}

event smb2_message (c: connection, hdr: SMB2::Header, is_orig: bool){
    if (c$id in sessions) {add sessions[c$id]$protocol["smb2"];}
}
event smb_pipe_connect_heuristic (c: connection){
    if (c$id in sessions) {add sessions[c$id]$protocol["smb"];}
}

event smtp_request (c: connection, is_orig: bool, command: string, arg: string){
   if (c$id in sessions) {add sessions[c$id]$protocol["smtp"];}
}
event snmp_get_request (c: connection, is_orig: bool, header: SNMP::Header, pdu: SNMP::PDU){
 if (c$id in sessions) {add sessions[c$id]$protocol["smtp"];}
}
event socks_request (c: connection, version: count, request_type: count, sa: SOCKS::Address, p: port, user: string){
 if (c$id in sessions) {add sessions[c$id]$protocol["socks"];}
}
event ssh_client_version (c: connection, version: string){
 if (c$id in sessions) {add sessions[c$id]$protocol["ssh"];}
}
global ja3_str: string="";

event ssl_established(c: connection){
    ja3_str=ja3_str[:-1];
    print "ssl_established";
    print ja3_str;

    local handle = md5_hash_init();
    md5_hash_update(handle,ja3_str);
    local ja3= md5_hash_finish(handle);
    print fmt("ja3:%s",ja3);#ja3:70a0c7cccf111a20b7ff80b91dbbea03

}

event ssl_extension(c: connection, is_client: bool, code: count, val: string) {
    if (is_client) {
        ja3_str+=fmt("%d,",code);
    }
}

event ssl_client_hello(c: connection, version: count, record_version: count, possible_ts: time, client_random: string, session_id: string, ciphers: index_vec, comp_methods: index_vec){
    print "ssl_client_hello";
    ja3_str=fmt("%s,",version);
    for (cipher in ciphers){
       ja3_str+=fmt("%s,",ciphers[cipher]);
    }
    local version_str = SSL::version_strings[version];
    print version_str;
    if (c$id in sessions) {
        add sessions[c$id]$tls_version[version];
        sessions[c$id]$tls_version_cnt=|sessions[c$id]$tls_version|;
        add sessions[c$id]$protocol["ssl"];
        add sessions[c$id]$tls_src_session_id[session_id];
    }
}
event ssl_server_hello(c: connection, version: count, record_version: count, possible_ts: time, server_random: string, session_id: string, cipher: count, comp_method: count){
    print "ssl_server_hello";
    print cipher;
    if (c$id in sessions) {
        add sessions[c$id]$tls_dst_session_id[session_id];
        add sessions[c$id]$tls_cipher[session_id];
        sessions[c$id]$tls_cipher_cnt=|sessions[c$id]$tls_cipher|;
    }
}
event connection_SYN_packet (c: connection, pkt: SYN_packet){
 if (c$id in sessions) {add sessions[c$id]$protocol["tcp"];}
}
event websocket_established (c: connection, aid: count){
 if (c$id in sessions) {add sessions[c$id]$protocol["websocket"];}
}
event xmpp_starttls (c: connection){
 if (c$id in sessions) {add sessions[c$id]$protocol["xmpp"];}
}
event icmp_echo_request(c: connection, info: icmp_info, id: count, seq: count, payload: string){
 if (c$id in sessions) {add sessions[c$id]$protocol["icmp"];}
}
event geneve_packet (c: connection, inner: pkt_hdr, vni: count){
 if (c$id in sessions) {add sessions[c$id]$protocol["geneve"];}
}
event vxlan_packet (c: connection, inner: pkt_hdr, vni: count){
 if (c$id in sessions) {add sessions[c$id]$protocol["vxlan"];}
}
event teredo_packet(c: connection, inner: teredo_hdr){
 if (c$id in sessions) {add sessions[c$id]$protocol["teredo"];}
}
event gtpv1_create_pdp_ctx_request (c: connection, hdr: gtpv1_hdr, elements: gtp_create_pdp_ctx_request_elements){
 if (c$id in sessions) {add sessions[c$id]$protocol["GTPv1"];}
}